
MEDIUM: Server binds 0.0.0.0, age truncation, PHI logging, default passwords #55

@AlexMikhalev


Security Findings - MEDIUM (batch)

Source: Security audit (2026-02-24)

Finding 6: Server Binds to 0.0.0.0 by Default

  • Location: crates/terraphim-api/src/lib.rs:17
  • Fix: Default to 127.0.0.1, allow override via API_HOST env var

Finding 7: Integer Truncation in Patient Age

  • Location: crates/terraphim-api/src/service.rs:302
  • profile.age as u8 truncates u32 silently (300 -> 44)
  • Fix: Validate age 0-150, return 400 for out-of-range

Finding 8: Debug Logging of Patient Clinical Data (PHI)

  • Location: crates/terraphim-api/src/routes/mod.rs:91-93
  • Patient age, sex, diagnoses logged at debug level
  • Fix: Never log PHI, use anonymized identifiers

Finding 9: WebSocket No Connection Limits

  • Location: crates/terraphim-api/src/routes/mod.rs:301-384
  • No connection limits, auth, idle timeout, or backpressure
  • Fix: Add semaphore for concurrent workflows, add auth + timeouts

Finding 11: Grafana Default Admin Password

  • Location: docker/docker-compose.yml:113
  • GF_SECURITY_ADMIN_PASSWORD defaults to admin
  • Fix: Remove default, fail if not set
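Finding 6 above says to default the listener to 127.0.0.1 and let `API_HOST` widen it. The Rust below is an added example, not code from the terraphim repository: it assumes the env var is named `API_HOST` as the finding suggests and that the port is already known. A missing or empty value means loopback; a value that does not parse as an IP address aborts startup instead of silently falling back to 0.0.0.0, and `is_externally_reachable` lets the caller warn when an operator has deliberately chosen a wider bind.

```rust
use std::net::{IpAddr, Ipv4Addr, SocketAddr};

/// Loopback is the safe default; anything wider must be an explicit choice.
pub const DEFAULT_HOST: IpAddr = IpAddr::V4(Ipv4Addr::LOCALHOST);

/// Resolve the listen address from an optional API_HOST value (the env var
/// name is assumed from the finding). Empty or missing means loopback; a
/// value that is not an IP address is a hard error, not a silent fallback.
pub fn resolve_bind_addr(api_host: Option<&str>, port: u16) -> Result<SocketAddr, String> {
    let ip = match api_host.map(str::trim).filter(|s| !s.is_empty()) {
        None => DEFAULT_HOST,
        Some(raw) => raw
            .parse::<IpAddr>()
            .map_err(|e| format!("API_HOST {raw:?} is not an IP address: {e}"))?,
    };
    Ok(SocketAddr::new(ip, port))
}

/// Convenience wrapper that reads API_HOST from the process environment.
pub fn bind_addr_from_env(port: u16) -> Result<SocketAddr, String> {
    let host = std::env::var("API_HOST").ok();
    resolve_bind_addr(host.as_deref(), port)
}

/// 0.0.0.0, a LAN address or a public address all accept traffic from other
/// hosts; only loopback does not.
pub fn is_externally_reachable(addr: &SocketAddr) -> bool {
    !addr.ip().is_loopback()
}

fn main() {
    match bind_addr_from_env(8000) {
        Ok(addr) => {
            if is_externally_reachable(&addr) {
                eprintln!("warning: API_HOST={} exposes the API beyond this host", addr.ip());
            }
            println!("binding to {addr}");
        }
        Err(e) => {
            eprintln!("refusing to start: {e}");
            std::process::exit(2);
        }
    }
}
```

Run it with no environment to see the loopback default, then with `API_HOST=0.0.0.0` to see the warning; the override still works, it just has to be typed.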
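Findings 7 and 8 both concern the patient profile, so one added example covers them. This is illustrative code, not the project's `service.rs` or `routes/mod.rs`: `PatientProfile`, `record_id` and `AgeError` are assumed names. `age_truncating` reproduces the `as u8` bug the finding describes (300 becomes 44); `age_checked` is the replacement that a handler would map to a 400. The hand-written `Debug` impl means a `debug!("{:?}", profile)` call can only ever emit the opaque record id and a diagnosis count, never the age, sex or diagnoses themselves.

```rust
use std::fmt;

/// Upper bound on a plausible age; the finding's fix calls for 0..=150.
pub const MAX_AGE: u8 = 150;

#[derive(Debug, PartialEq)]
pub enum AgeError {
    /// Did not fit in a u8 at all (this is what `as u8` was hiding).
    Unrepresentable(u32),
    /// Fits in a u8 but is outside 0..=150.
    OutOfRange(u32),
}

/// What the audited code does: `as` keeps the low 8 bits, so 300 -> 44.
pub fn age_truncating(raw: u32) -> u8 {
    raw as u8
}

/// Checked replacement; an Err here should become an HTTP 400.
pub fn age_checked(raw: u32) -> Result<u8, AgeError> {
    let age = u8::try_from(raw).map_err(|_| AgeError::Unrepresentable(raw))?;
    if age > MAX_AGE {
        return Err(AgeError::OutOfRange(raw));
    }
    Ok(age)
}

pub struct PatientProfile {
    /// Opaque, non-identifying handle that is safe to write to logs.
    pub record_id: String,
    pub age: u8,
    pub sex: String,
    pub diagnoses: Vec<String>,
}

impl PatientProfile {
    /// Construction goes through the checked conversion, so an invalid age
    /// never reaches the struct.
    pub fn new(record_id: &str, raw_age: u32, sex: &str, diagnoses: &[&str]) -> Result<Self, AgeError> {
        Ok(Self {
            record_id: record_id.to_string(),
            age: age_checked(raw_age)?,
            sex: sex.to_string(),
            diagnoses: diagnoses.iter().map(|d| d.to_string()).collect(),
        })
    }
}

/// Deliberately not `#[derive(Debug)]`: every `{:?}` of a profile, in a
/// debug! line or a panic message, prints only non-PHI fields.
impl fmt::Debug for PatientProfile {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let diagnosis_count = self.diagnoses.len();
        f.debug_struct("PatientProfile")
            .field("record_id", &self.record_id)
            .field("age", &"<redacted>")
            .field("sex", &"<redacted>")
            .field("diagnosis_count", &diagnosis_count)
            .finish()
    }
}

fn main() {
    println!("300 as u8 = {}", age_truncating(300));
    println!("age_checked(300) = {:?}", age_checked(300));
    // Constructed sample input, not real patient data.
    let profile = PatientProfile::new("rec-7f3a", 42, "F", &["E11.9"]).unwrap();
    println!("{profile:?}");
}
```

The same idea applies to any `Serialize` or `Display` path that reaches a log sink: if the type cannot print PHI, a stray debug line cannot leak it.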
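Finding 9 asks for a semaphore over concurrent workflows plus idle timeouts on the WebSocket route. The added example below is not the project's handler code; it shows the two pieces of bookkeeping a handler needs using only the standard library, so that it runs stand-alone. `WorkflowLimiter` is a counting limiter whose permit is an RAII guard (in a tokio service `tokio::sync::Semaphore` and its `OwnedSemaphorePermit` play exactly this role); `try_acquire` is non-blocking so an over-limit client is refused immediately rather than queued, which is the backpressure the finding wants. `IdleTracker` is the per-connection state a read loop would consult to close sockets that have gone quiet. Type and method names are assumptions.

```rust
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
use std::time::{Duration, Instant};

/// Global cap on concurrently running workflows across all sockets.
pub struct WorkflowLimiter {
    active: AtomicUsize,
    max: usize,
}

/// Holding a Permit means a slot is yours; dropping it (when the socket task
/// ends, including on panic or disconnect) gives the slot back.
pub struct Permit {
    limiter: Arc<WorkflowLimiter>,
}

impl Drop for Permit {
    fn drop(&mut self) {
        self.limiter.active.fetch_sub(1, Ordering::AcqRel);
    }
}

impl WorkflowLimiter {
    pub fn new(max: usize) -> Arc<Self> {
        Arc::new(Self { active: AtomicUsize::new(0), max })
    }

    /// Non-blocking acquire: None means "over limit, close with a policy
    /// code", never "wait and pile up".
    pub fn try_acquire(limiter: &Arc<Self>) -> Option<Permit> {
        let mut cur = limiter.active.load(Ordering::Acquire);
        loop {
            if cur >= limiter.max {
                return None;
            }
            match limiter
                .active
                .compare_exchange_weak(cur, cur + 1, Ordering::AcqRel, Ordering::Acquire)
            {
                Ok(_) => return Some(Permit { limiter: Arc::clone(limiter) }),
                Err(actual) => cur = actual,
            }
        }
    }

    pub fn active(&self) -> usize {
        self.active.load(Ordering::Acquire)
    }
}

/// Per-connection idle clock; call `touch` on every frame received and poll
/// `expired_at` from a timer so a silent peer cannot hold a slot forever.
pub struct IdleTracker {
    last_activity: Instant,
    timeout: Duration,
}

impl IdleTracker {
    pub fn new(timeout: Duration) -> Self {
        Self { last_activity: Instant::now(), timeout }
    }

    pub fn touch(&mut self) {
        self.last_activity = Instant::now();
    }

    pub fn expired_at(&self, now: Instant) -> bool {
        now.duration_since(self.last_activity) >= self.timeout
    }
}

fn main() {
    let limiter = WorkflowLimiter::new(2);
    let first = WorkflowLimiter::try_acquire(&limiter);
    let second = WorkflowLimiter::try_acquire(&limiter);
    let third = WorkflowLimiter::try_acquire(&limiter);
    println!("permits granted: {}", [&first, &second, &third].iter().filter(|p| p.is_some()).count());
    drop(first);
    println!("active after one disconnect: {}", limiter.active());
    let idle = IdleTracker::new(Duration::from_secs(30));
    println!("expired 31s later: {}", idle.expired_at(Instant::now() + Duration::from_secs(31)));
}
```

Authentication is the one part of the finding this does not cover: the permit should only be handed out after the upgrade request has been authenticated, otherwise an anonymous client can still exhaust the pool.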

Labels: security (Security vulnerabilities and audit findings)